What Seems to Be the Problem?

face lots of challenges, but the toughest isn’t technical, page 26

Inside

JULY 14, 2008

VOL. 42, NO. 29 $5/COPY

News Analysis

A cache-poisoning flaw found in the DNS protocol puts domain name servers at risk of attack, page 12

Seven years after it began, an effort to set up a national disease-tracking system still isn’t finished, page 16

The Grill: Simmons Bedding’s CIO touts the value of just-in-time systems and standardized IT, page 20

Opinion

Consultant, adviser, outsourcer - the label you choose defines the relationship, page 42

Careers

The economic slowdown begins to hit the IT job market, page 45

Don’t Miss ...

On the Mark: There’s a data deficit where you’d least expect it: in the CIO’s office. PAGE 18




■ NEWS DIGEST

6 The Nielsen Co. gives up tax breaks in Florida because of the political fallout from an offshoring deal. | VMware replaces its CEO with a former Microsoft exec.

8 The EPA expects to introduce an initial Energy Star rating for servers by year’s end. | Supporters of Barack Obama use his campaign’s social networking site to protest his stance on the FISA bill.

10 The ITSMF USA claims its former executive director defamed the group in blog posts made under a fictitious female name.

■ NEWS ANALYSIS

12 DNS Hole Doesn’t Go Unnoticed. A flaw in the DNS protocol prompts a synchronized patching effort by vendors, plus a chorus of calls for users to install the fixes.

16 Seven Years and Counting: National Disease-Tracking System Still Unfinished. A dozen states have yet to install technology needed to enable public health officials nationwide to use the Web to monitor disease outbreaks.

■ OPINION

4 Editor’s Note: Don Tennant finds many IT pros to be insightful, but too many in the profession too easily find occasion to slip into denial mode.

25 Michael H. Hugos explains how agile analysts hit the ground running.

42 Paul Glen has discovered that getting value from outside advisers has a lot to do with what you call them.

48 Frankly Speaking: Frank Hayes warns everyone to fix their DNS implementations without delay.

■ DEPARTMENTS

18 On the Mark: Mark Hall hears about a data deficit where you’d least expect it: in the CIO’s office.

20 The Grill: CIO W. Wade Vann says the keys to success for Simmons Bedding Co. are “plain vanilla” systems, standardization and just-in-time IT.

38 Security Manager’s Journal: Shoveling Sand Against the Tide. The frustrations of slashed budgets and inadequate manpower come to a head. Is it time for a change?

45 Career Watch: The economic slowdown hits IT; and demand for SAP skills leads to a spike in pay.

47 Shark Tank: Users say their printer has a magic button that ejects the paper tray. But one day, the magic stops - and so does the printer.

■ ALSO IN THIS ISSUE

Letters 5
Company Index 47

ILLUSTRATION BY VIKTOR KOEN

■ FEATURES

26 E-medical Records: What Seems to Be the Problem?

COVER STORY: Progress on electronic health records has been held back by technical issues, but the biggest obstacle may be a payment system that lacks financial incentives for health care providers.

35 Quality Over Quantity

Johnson & Johnson’s approach to application support uses more service-level metrics and fewer vendors.

36 Should We Tell the Boss?

We asked CIOs to talk about the kinds of messages they need to hear loud and clear from their staffers - and the things they never, ever want to hear. Find out what they said.

■ EDITOR’S NOTE

Don Tennant

Insight and Denial

INFORMATION TECHNOLOGY pros are an insightful breed. I know my fair share of them, and I’ve noticed that a lot of them tend to focus on how practical information and lessons learned can be applied to their work, even when the lessons come from outside of the profession.

An example presented itself a couple of weeks ago in an e-mail exchange with Dale Frantz, CIO at Auto Warehousing Co. I’d recounted a story about a mishap I’d had at our recent Infrastructure Management World conference at the new Gaylord National Hotel near Washington.

I had driven my beloved Mazda MX-5 (the model formerly known as Miata) from Massachusetts, and I entrusted it to the hotel’s parking valets for safekeeping. On the morning I checked out, I called to have my car retrieved and waited at the hotel’s entrance. And waited. And waited.

After about 30 minutes and several inquiries, I was finally given the apologetic explanation that the police had one of the streets blocked off. Another 15 or 20 minutes passed, and a sympathetic bellman said there had been an accident near the valet lot and a backlog was forming because a lot of people were checking out. About 20 minutes later, a valet who had been fetching cars said he had seen the silver Miata and there was ... um ... a problem getting it out of the lot. Finally, I was approached by the head valet manager. “Mr. Tennant,” he said, “I have some bad news.”

There had been an accident, all right. It turned out that the young woman who was retrieving my car hit another valet who had run out in front of her, then she swerved into a pole and smashed up the left side of the car. The poor guy she hit suffered a compound leg fracture and was taken away in an ambulance, so I could hardly get too upset when I saw the damage to my car. At least it was still drivable, and it can be fixed. There was only one thing that really bothered me. Why was I kept in the dark for well over an hour? Why wasn’t I immediately informed? It’s not like I wouldn’t eventually find out, you know?

I found Frantz’s response to the tale very interesting.

“There’s a career IT parallel here,” he wrote. “When IT projects have problems, it seems that the ‘delay and cover up’ is what happens with reporting back to senior management. ‘Maybe the CEO won’t notice that we’re not delivering this project well past the time expected,’ or ‘Maybe the CEO/CFO won’t notice the fact that our project has been in a wreck and is severely damaged. Maybe our internal customers will just ignore it and go away.’ ”

People in the IT industry have some strange habits, Frantz said, most of which are self-destructive. I would add that slipping into denial mode may be the most destructive of all.

You may recall from our reporting that Frantz has embarked on a pioneering project to migrate his formerly all-Microsoft IT shop at AWC to the Mac. He mentioned in our e-mail exchange that the conversion, which began about a year ago, is ahead of schedule and has already saved him nearly $1 million in license fees.

Yet there is still widespread denial among IT pros that Apple in the enterprise is anything but a “novelty” or that it’s a viable Microsoft alternative (check out the reader comments to our story “Study: 8 in 10 Businesses Now Using Macs,” posted on our Web site on June 26).

Meanwhile, Frantz says AWC is “thriving during these bleak economic times,” due in no small part to his switch to Macs. That’s something that all those IT pros who think their CEOs won’t notice the Microsoft money pit might want to consider. ■

Don Tennant is editorial director of Computerworld and InfoWorld. Contact him at don_tennant@computerworld.com, and visit his blog at http://blogs.computerworld.com/tennant.
■ LETTERS

Genderless Insights

Don Tennant’s June 23 column, “The Bigger Question,” on gender in IT was insightful, but not necessarily because of anything to do with gender. Please let me explain.

I have been in IT for over 40 years. I knew I was in a non-mentoring business. I knew that I worked alone a lot. I knew that I worked long hours to get things done. I knew that I carried work home to “have fun” on the weekends. I knew that I would go into work in the middle of the night once in a while. I knew that my social life was almost nonexistent. I knew lots of the things Tennant mentioned and alluded to, but this was the first time I saw it articulated in such plain English. I was able to open my eyes and see exactly what he was saying.

Thanks for saying what I have been working too hard to be able to see.

■ Dave Bonar, Greater New Orleans

Finding True Diversity

The Grill interview with Laraine Rodgers [June 23] was terrific — what a tremendous career arc, with the added dimension of her experiences as a woman in IT.

And this same issue of the magazine included columns from Virginia Robbins and C.J. Kelly. These women all had something interesting to say about IT, but from a non-male perspective.

Computerworld is doing a great job finding and showcasing IT professionals across the spectrum. These are not the “same old, same old” standard-bearers for symbolic diversity that I was seeing over and over in earlier days (Carly Fiorina, anyone?), but a truly diverse and interesting group.

Thanks for making the effort to identify and cover IT from so many different perspectives.

■ Elizabeth Gray, PMP, business systems analyst, Austin
THE NIELSEN CO. is giving up tax breaks that have netted it $1.4 million since 2001, in response to political fallout from an IT offshoring deal that has led to layoffs at its global technology center in Oldsmar, Fla.

Nielsen, which is best known for measuring TV audiences, began getting the tax breaks after agreeing to build the $100 million facility in Oldsmar, west of Tampa. The incentives were pegged to the number of jobs paying at least $52,000 annually at the tech center, which had about 1,200 employees at first and grew its workforce to 1,700.

In addition to the $1.4 million in tax breaks that Nielsen has received from the Oldsmar and Pinellas County governments, the company got $1.7 million from the state under an incentive program that has expired. The local incentives, though, were scheduled to continue until 2016.

But then last October, Nielsen announced a 10-year, $1.2 billion outsourcing agreement with India-based Tata Consultancy Services Ltd. That move was followed in April by the news that 117 people at the Oldsmar tech center would be laid off.

Although 50 of those employees have since been hired by Tata, Nielsen late last month said that it was cutting another 170 jobs in Oldsmar — and that some of the affected workers are training Tata employees to do their work. The company now expects to have about 1,300 employees at the facility by year’s end, plus 250 or so contract workers.

Gary Holmes, a spokesman for Nielsen, said the company decided to pull out of the tax-break program after members of the Oldsmar city council expressed “second thoughts about the agreement” because of the layoffs. “It became kind of an emotional issue,” he said.

That’s evident from the minutes of a council meeting held in April. One member accused Nielsen, the city’s largest employer, of “making a joke of the tax-incentive program,” while another said the company “had abdicated [its] responsibility as a corporate citizen.”

Despite the layoffs, the incentive deal “did everything it was intended to do,” said Mike Meidel, director of Pinellas County Economic Development. Nielsen could have built its technology center somewhere else, Meidel said, adding that the company still has enough employees in Oldsmar to qualify for the tax breaks.

— Patrick Thibodeau

THE WEEK AHEAD

TUESDAY: Oracle is due to release 45 software patches as part of its latest quarterly batch of security fixes.

TUESDAY: The Senate Judiciary Committee’s antitrust subcommittee plans to hold a hearing on the search-results advertising deal signed by Google and Yahoo last month.

THURSDAY: Microsoft and Google are both scheduled to report their latest financial results. Chip rivals Intel and AMD also plan to file earnings reports this week.


VMware Replaces CEO Greene

VMware Inc. last week ousted CEO Diane Greene and replaced her with Paul Maritz, a former top executive at Microsoft Corp., which is posing a new challenge to VMware’s dominance of the server virtualization market.

VMware also warned that its revenue will likely be “modestly below” expectations this year. But a spokesman for EMC Corp., the virtualization vendor’s majority owner, said that Greene’s departure wasn’t prompted by any “single event or market dynamic.”

Greene co-founded VMware in 1998 and had run it since then. But Gartner Inc. analyst Thomas Bittman said that with Microsoft now pushing its Hyper-V software, “it’s going to be a very different market” for VMware.

- LUCAS MEARIAN, WITH THE IDG NEWS SERVICE
HARDWARE

EPA to Start Small on Energy Star for Servers

THE U.S. Environmental Protection Agency expects to introduce its first Energy Star rating for servers by year’s end, though a more comprehensive system that measures the energy consumed by actual workloads will take longer to develop.

The Energy Star program is designed to make it easier for customers to compare the energy efficiency of different products. Ratings are available for more than 50 types of products, including desktop PCs, monitors, ceiling fans and even windows. But the server rating system has been difficult to develop.

“This server program is one of the most complicated we’ve tried to deal with,” said Arthur Howard, an associate at ICF International Inc., a Fairfax, Va., firm that provides technical consulting to the EPA on the Energy Star initiative.

That’s partly because servers are used for so many different workloads. Hardware makers say a benchmark test that measures energy efficiency on one type of workload, such as file serving, won’t provide meaningful results to buyers looking to use systems for other applications, such as transaction processing.

After Congress pushed the EPA to promote the adoption of more energy-efficient servers in 2006, the agency quickly determined that it wouldn’t be able to get server vendors to agree anytime soon on a way to measure the “useful work” a system can perform with a given amount of power, said Andrew Fanara, who heads the Energy Star product development team at the EPA.

The EPA hopes to use energy efficiency tests developed by Standard Performance Evaluation Corp., a nonprofit company that creates performance benchmarks for servers. Thus far, though, SPEC has published only one test suite, for measuring the energy consumed by servers running a Java-based application workload. The group hasn’t said when it will add benchmarks for other types of workloads.

The EPA decided to sidestep the issue and come up with an initial “Tier 1” rating system for two key areas it thinks can be measured. One is the efficiency of a server’s power supply, as measured at various load levels; the other is how much power a server consumes while it’s idle.

But the EPA may have its work cut out for it, even on the Tier 1 spec. For example, Mark Monroe, director of sustainable computing at Sun Microsystems Inc., posed a question that has yet to be answered: “What’s the definition of idle?”

— James Niccolai, IDG News Service


Apple Inc. began selling the on Friday, but the launch wasn’t glitch-free. In-store activations in the U.S. had to be suspended because users were having problems connecting to the iTunes 7.7 software needed to configure the device. And sales in London were temporarily delayed because of software-compatibility issues with the activation system of UK Ltd., Apple’s U.K. carrier partner.

Microsoft Corp. Wednesday released a software update designed to fix a problem that blocks PCs running Office 2003 from getting patches via its tool. But the next day, the company said it may have to revise the fix because of a pair of install and uninstall problems.

Microsoft also confirmed that attackers are actively exploiting an unpatched bug in . But the company “is aware only of limited, targeted attacks that attempt to use this vulnerability,” a spokesman said.


WEB 2.0

Backers Stage Protest on Obama’s Social Network

IN A DEVELOPMENT that shows how users can take Web 2.0 sites in unexpected directions, a group of Barack Obama supporters is using his presidential campaign’s official social network to protest the Illinois senator’s stance on a bill extending the so-called warrantless wiretapping program.

The social networking group set up on the MyBarackObama.com site to urge Obama to vote against the extension of the Foreign Intelligence Surveillance Act (FISA) had attracted more than 24,000 member entries as of last Friday, although some of the entries appeared to be duplicates.

“It’s now a truism,” wrote TechPresident.com blogger Patrick Ruffini, “that when presented with an open platform, users will hack it to serve their purposes, not necessarily those of the sponsor.”

In a blog post of his own, Obama acknowledged that he is “not exempt” from efforts by voters to join together and “hold their leaders accountable.” Despite the online protest, though, Obama voted for the FISA bill when it was approved by the Senate last Wednesday.

- HEATHER HAVENSTEIN
LEGAL ISSUES

IT Group Claims Former Official Used Pseudonym To Discredit It in Blogs

THE U.S. chapter of the IT Service Management Forum has filed a defamation lawsuit against its former executive director, alleging that he tried to discredit the group via blog comments posted under a fictitious female name.

The lawsuit follows an allegation made last year by someone using the name “Julie Linden, Ph.D.” that an online board election held by the ITSMF USA in late 2006 had been compromised.

The board hired Kroll Inc. to investigate the claim, and the consulting firm turned up evidence that some votes were recorded as being cast by people who said they didn’t actually vote.

But the number of apparently illegitimate votes was too small to affect the outcome of the election, according to ITSMF officials.

Now the group, which promotes the use of standards such as the Information Technology Infrastructure Library, is claiming that “Julie Linden” and James Prunty, its former executive director, are one and the same. The lawsuit, filed last month in a California state court, seeks hundreds of thousands of dollars in damages from Prunty, who left the 8,000-member organization last year.

In the lawsuit, the ITSMF USA alleges that Prunty, making blog posts under the name Linden, disparaged the organization and suggested that people distance themselves from it. The legal filings don’t suggest any motives for the attempts to discredit the group.

Prunty has yet to file a response to the lawsuit. He declined to comment on the allegations last week.

— Patrick Thibodeau

Earlier Developments

MAY 2007: The ITSMF USA notifies members of claims that an online board election in 2006 was compromised.

JULY 2007: The group’s president says an outside investigation found “clear evidence” of a small number of fraudulent votes.

SEPTEMBER 2007: The same official says the voting fraud may have been an attempt to “embarrass and


Global Dispatches

IT Thefts Stop Online Presses

LONDON - The Financial Times newspaper was temporarily unable to post stories or update content on its Web site last Thursday, following a theft of servers and other IT equipment from a hosting facility run by Cable & Wireless PLC.

The online shopping site of grocer J Sainsbury PLC was also affected by the theft at the facility in Watford, north of London. The thieves took servers, routers, switches and optical wiring, although police believe they were seeking scrap metal, not IT gear per se.

The theft forced the Financial Times to run its FT.com site from a backup facility in the U.S. Full functionality was restored by midafternoon on Thursday; Sainsbury’s site was also restored that afternoon.

Cable & Wireless wouldn’t say how the theft occurred.

Mike Simons, Computerworld U.K.

Yahoo Alerts EC To Google Deal

Yahoo Inc. has notified European antitrust regulators about the search-advertising deal it signed with Google Inc. last month, even though the agreement applies only to its Web sites in the U.S. and Canada.

A Yahoo spokeswoman said via e-mail that the company decided to provide information about the deal to the European Commission out of a “spirit of cooperation,” and to educate the EC on the agreement.

A spokesman for Google said it has also been in touch with the EC about the deal as a courtesy.

The U.S. Department of Justice has launched an investigation into the antitrust implications of the partnership.

Linda Rosencrance, Computerworld

BRIEFLY NOTED

British Airways PLC said that its high-tech baggage system isn’t at fault for nearly a thousand pieces of luggage being delayed or misplaced daily at a Heathrow Airport terminal used exclusively by the airline. BA blamed other airlines for not delivering the bags of interconnecting passengers in time to load onto its planes.

Leo King, Computerworld U.K.

BETWEEN THE LINES By John Klossner

released a beta version of an API that other companies can use to develop Yahoo-based search services for their Web sites. Google Inc. already offers a similar capability.

One week after stopping most sales of Windows XP, Microsoft made its Service Pack 3 update available for automatic downloads via Windows Update.

In a prime example of the dot-com bust’s business failures, online grocer Webvan Group Inc. shut down and said it would file for Chapter 11 bankruptcy protection.
DNS Hole Doesn’t Go Unnoticed

A flaw in the DNS protocol didn’t merit Microsoft’s highest severity rating. But it’s certainly getting a lot of attention. By Jaikumar Vijayan


A software patch released by Microsoft Corp. to plug a hole in the Domain Name System protocol was just one of nine security fixes the company issued last week. And like the others, the DNS patch got only an “important” severity rating, one step below Microsoft’s top rating of “critical.” But that belies the amount of attention that the DNS vulnerability is attracting. The discovery of the cache-poisoning flaw earlier this year prompted a rare synchronized patching effort involving Microsoft, Cisco Systems Inc. and other vendors. And the disclosure of the vulnerability last week was accompanied by a chorus of calls for IT managers to patch or upgrade their DNS servers — pronto. (See “Fix DNS Now,” page 48.)

For instance, Paul Mockapetris, who invented the DNS architecture for directing traffic on the Internet, said the time to act is now, before exploits of the flaw become widely available. “The clock is ticking,” said Mockapetris, who is chairman and chief scientist at Nominum Inc. — a name server vendor that was among the companies issuing fixes for the flaw.

The urgency is being fueled by the fact that the vulnerability is a fundamental design flaw in the DNS protocol. In addition, Dan Kaminsky, the researcher at security services firm IOActive Inc. who found the cache-poisoning problem, plans to detail it at the Black Hat USA 2008 security conference next month.

David Jordan, chief information security officer for the Arlington County government in Virginia, wouldn’t specify what measures the county took after learning of the DNS flaw from an alert issued by the U.S. Computer Emergency Readiness Team. But he said that patches deemed to be critical get treated as such by the county’s IT staff.

“They go to the front of the queue,” Jordan said, adding that the county “significantly” increases its network monitoring until such patches are put in place.

Kaminsky said that virtually every domain name server resolving IP addresses on the Internet is vulnerable to the DNS flaw, which could enable attackers to redirect Web traffic and e-mails to systems they control.

The US-CERT advisory listed more than 80 vendors whose products might be affected. A few have since reported that their software isn’t vulnerable to the flaw, but companies such as Red Hat Inc. and Sun Microsystems Inc. joined Microsoft and Cisco in issuing fixes.

Both Red Hat and Sun distribute the Berkeley Internet Name Domain technology, a widely used DNS implementation developed by Internet Systems Consortium Inc. ISC released patches for several versions of BIND and urged users of older releases to upgrade their systems.

The type of flaw Kaminsky found isn’t new; several other security researchers had previously discovered similar cache-poisoning vulnerabilities in the DNS, according to the US-CERT advisory. Attackers can exploit such flaws to determine the numerical identifiers randomly assigned to DNS packets; doing so gives them a chance to inject forged code and spoof DNS traffic.

But the new vulnerability Kaminsky found is so serious because it appears to offer a far more effective means of guessing packet identifiers than any flaws found earlier. “Someone using this technique can poison a caching server in about 10 to 20 minutes,” Mockapetris said.

Joao Damas, a senior program manager at ISC, said the patches that vendors are issuing are designed to add more randomness to the process of assigning the identifiers to packets, in order to make it harder to guess the numbers. “Increasing forgery resilience is the way we are trying to do this,” Damas said.

The patches are also being crafted to minimize the chances that attackers could reverse-engineer them, Kaminsky said. But he predicted that exploits of the flaw will still be developed. ■
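The randomness Damas describes can be checked from the defender's side. The sketch below is an added example, not code from the article or from any vendor: it assumes the values a forged reply has to match are the 16-bit DNS transaction ID and the UDP source port of the resolver's query, and its sample observations and 10-bit threshold are constructed for illustration.

```python
"""Score how guessable a resolver's outbound DNS queries are.

Each observation is (udp_source_port, dns_transaction_id) taken from a query
the recursive resolver sent upstream. All sample data here is constructed.
"""
import math
import statistics
from collections import Counter

FIELD_SPACE = 65536   # the UDP port and the DNS ID are both 16-bit fields
MIN_SAMPLES = 8       # assumption: fewer than this is too little to judge
MIN_BITS = 10.0       # assumption: illustrative per-field alert threshold


def field_bits(values):
    """Return (estimated_bits, pattern) for one 16-bit field.

    pattern is "fixed", "sequential" or "spread". A fixed or counter-driven
    field is predictable however many distinct values appear, so it scores 0.
    """
    if len(values) < MIN_SAMPLES:
        raise ValueError("need at least %d observations" % MIN_SAMPLES)
    if len(set(values)) == 1:
        return 0.0, "fixed"
    # A counter shows up as one step value dominating consecutive deltas,
    # even when other traffic makes it skip now and then.
    deltas = Counter((b - a) % FIELD_SPACE for a, b in zip(values, values[1:]))
    if deltas.most_common(1)[0][1] * 2 >= len(values) - 1:
        return 0.0, "sequential"
    # Uniform draws over a range of width W have standard deviation W/sqrt(12).
    width = min(FIELD_SPACE, statistics.pstdev(values) * math.sqrt(12))
    return math.log2(max(width, 2.0)), "spread"


def assess(observations):
    """Summarise port and transaction-ID unpredictability for one resolver."""
    ports = [port for port, _ in observations]
    txids = [txid for _, txid in observations]
    port_bits, port_pattern = field_bits(ports)
    txid_bits, txid_pattern = field_bits(txids)
    findings = []
    if port_bits < MIN_BITS:
        findings.append("source port: %s, %.1f bits" % (port_pattern, port_bits))
    if txid_bits < MIN_BITS:
        findings.append("transaction ID: %s, %.1f bits" % (txid_pattern, txid_bits))
    return {
        "port_pattern": port_pattern,
        "txid_pattern": txid_pattern,
        # A forged reply must match both fields, so their bits add up.
        "total_bits": port_bits + txid_bits,
        "findings": findings,
    }


# Constructed samples: the same transaction IDs paired with three port behaviours.
TXIDS = [0x3A91, 0xC20F, 0x07E4, 0x9B52, 0x51C8, 0xE633,
         0x2D7A, 0x84ED, 0xF106, 0x6BB9, 0x1F40, 0xA8D5]
FIXED_PORTS = [32771] * 12
COUNTER_PORTS = [40000, 40001, 40002, 40003, 40005, 40006,
                 40007, 40008, 40009, 40010, 40012, 40013]
RANDOM_PORTS = [50321, 10877, 61204, 2291, 37745, 24610,
                58003, 15432, 44190, 7068, 30955, 52718]

if __name__ == "__main__":
    for name, ports in (("fixed", FIXED_PORTS),
                        ("counter", COUNTER_PORTS),
                        ("random", RANDOM_PORTS)):
        result = assess(list(zip(ports, TXIDS)))
        print(name, round(result["total_bits"], 1), result["findings"])
```

The counter case is the one a distinct-value count misses: every port differs, yet the next one is predictable, so the resolver is left with only the transaction ID's 16 bits.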
Seven Years And Counting: National Disease-Tracking System Still Unfinished

A dozen states have yet to install technology needed to enable public health officials to monitor disease outbreaks via the Web. By Todd R. Weiss


You might think that in the event of a major epidemic across the U.S., public health officials at the federal, state and local levels could track the outbreak electronically, using real-time data to try to control the spread of the disease.

But you’d be wrong.

An effort to develop those capabilities has been under way since 2001 through the U.S. Centers for Disease Control and Prevention.

The CDC is pushing the adoption of a Web-based system designed to give it and other health agencies nationwide rapid access to information about outbreaks of infectious diseases. Local and state health officials who are using the system can submit case reports to the CDC more quickly than they could before, and they are eventually supposed to be able to view data from other jurisdictions online.

Seven years after the CDC launched the initiative, though, the National Electronic Disease Surveillance System has yet to be completed. At this point, only 38 of the 50 states, plus the District of Columbia, are fully compliant with the technical requirements of NEDSS.

As a result, the data being input into the fledgling system is far from complete. And for now, information is flowing only in one direction — from local and state health agencies to the CDC. Until NEDSS is finished, state and local health officials can’t go into the system and see what’s happening across the nation, limiting their ability to monitor the spread of diseases.

The slow progress on NEDSS is forcing health agencies to continue relying on an existing system in which disease reports are manually entered into state-level databases and then transmitted to the CDC on a weekly basis.

For many health officials, the continuing inability to track outbreaks in real time is a source of both frustration and public-safety concerns.

“As a nation, we should be astounded that this capacity doesn’t exist,” said Dr. Scott McNabb, an epidemiologist who heads the NEDSS program in his job as director of the CDC’s Division of Integrated Surveillance Systems and Services. “It should be a call for action.”

McNabb described the capabilities of NEDSS as “absolutely mission-critical” for health officials. “With disease outbreaks, if local and state health departments are able to identify them quicker, then we are able to prevent future cases,” he said. “But if we don’t identify cases in a timely way, then people are at risk.”

Efforts to get the 12 remaining states to finish their NEDSS compliance work are progressing, McNabb said, adding that he hopes to have all of them on board by next July. Six of the states have only one of the three criteria left to meet, while California, Connecticut and Utah have yet to comply with any of the requirements (see map, next page).

One of the major causes of the delays in completing NEDSS has been a shortage of federal funding for the project. The CDC has been receiving just $24.7 million annually for NEDSS, much of which the agency passes on to the states. A bill before Congress would provide $2.5 billion over five years to complete the system and pay for new hardware needed to make it more functional, but no action has been taken on that measure.

Also, even CDC officials acknowledge that NEDSS requires a major effort on the part of the states, partly because it involves more complex data than they had to work with in the past.

Before, infectious disease cases were reported individually and didn’t automatically get grouped in a database. With NEDSS, states will combine their reports into integrated data repositories, giving users a fuller picture of what is happening regionally and nationally — but also imposing new data-management requirements.

“It is a giant difference, and a tremendous challenge, on the informatics side because it means you’re now dealing in the relational database area, not just a flat file,” McNabb said.

Another complicating factor is that there’s no single technology that the states need to deploy. The CDC offers the free NEDSS Base System, which is built on top of Java and uses Red Hat Inc.’s JBoss application server software. But states can build their own applications or buy them from the handful of vendors that sell NEDSS-compliant products, as long as the software is browser-based and meets interoperability standards for data storage and messaging of electronic laboratory results.

[Figure: Compliance Criteria, shown for Nov. ’05, Nov. ’06 and Nov. ’07. Legend: integrated data repository; electronic lab-result messaging; Web-based software; states meeting Criteria 1, 2 and 3. Source: National Center for Public Health Informatics, Centers for Disease Control and Prevention]

The Last 12 States

These states still need to achieve compliance with one or more of the three NEDSS criteria: an integrated data repository (IDR), electronic lab-result (ELR) messaging, and Web-based accessibility.

Alaska: IDR and Web support
Arizona: ELR
Arkansas: ELR
California: All three
Connecticut: All three
Iowa: ELR
Kansas: ELR
Minnesota: IDR and Web support
Mississippi: IDR and Web support
New Hampshire: ELR
Utah: All three
Wyoming: ELR

Only 16 states are using the CDC-supplied system, which was developed for the agency by Computer Sciences Corp. and first became available in 2002. The low adoption rate is fine by McNabb, who said that forcing a monolithic system on the states wouldn’t have worked. “Nobody would accept it,” he noted. “We want it to be from the grass roots up, not the top down.”

One promising development, according to McNabb, is that the Collaborative Software Initiative (CSI) in Portland, Ore., has created an open-source NEDSS application as part of a project that includes Utah’s health and technology services departments. An open-source option could make it easier for states to collaborate on development of NEDSS software or enable them to modify the code to meet their needs, McNabb said.

MISSING CONNECTIONS

Dr. Robert Rolfs, state epidemiologist at the Utah Department of Health, said the agency began working with CSI last November after its original NEDSS software vendor went out of business. A deployment of the open-source technology is about half complete, Rolfs said, adding that NEDSS will replace a system that doesn’t directly connect Utah’s local public health offices to one another or to the state.

The problem with the existing setup is that disease reports may be received by either the state health department or county agencies, some of which may not even enter the information into a computer. “What we need is to connect the locals to the state to the CDC, so everybody is part of the same grid,” Rolfs said.

Rolfs is among the health officials who have been frustrated with the slow pace of the national NEDSS rollout. But he said he understands that it’s a large undertaking because of the involvement of all the states as well as the 2,000 or so local health agencies in the U.S. And once NEDSS is finally completed, he expects the benefits to be worth the effort.

Currently, “we find a way to get things done,” Rolfs said. But, he added, NEDSS will enable public health officials to work more efficiently and to do things that aren’t possible now.

Initially, NEDSS won’t be used to monitor all infectious diseases. For example, the system will track cases of E. coli, salmonella, strep and tuberculosis that are reported to state and local health agencies, but it won’t be used at first for reporting incidents of sexually transmitted diseases or HIV infections and cases of AIDS.

Long-term plans also call for NEDSS to be integrated with electronic medical records systems and other incident-tracking technologies, such as the U.S. Food and Drug Administration’s food-safety monitoring applications. That would give NEDSS users broader data-analysis capabilities but would require many more steps, including the development of stringent data security and privacy protections for medical records.

For now, Dr. Marion Kainer, a medical epidemiologist at the Tennessee Department of Health, which has been using the CDC’s NEDSS software since April 2004, is looking forward to simply being able to use the system to access disease information from other states.

“But it takes a lot of resources to get there,” Kainer cautioned. In addition to more money, what’s needed to speed up the transition to NEDSS, she said, are workers who are trained in both public health informatics and IT, so they can tell IT departments exactly what is required.

Kainer added that she isn’t fazed by the fact that the 50 states are using a range of software to connect to NEDSS. Although that complicates things a bit, “if everybody adheres to standards, we can get there,” she said. “If everybody just goes and develops their own vocabulary, we’ll be where we are for a long, long time.” ■
On the Mark

HOT TRENDS ■ NEW PRODUCT NEWS ■ INDUSTRY BUZZ BY MARK HALL


End IT’s Data Deficit

It’s hard to imagine a data deficit in the CIO’s office, given the reams of reports spewing out of IT. But Ray Homan argues that there is one.

Homan is the CEO of BDNA Corp. in Mountain View, Calif., which supplies — you guessed it — more information to IT. But this might be just the data you’ve been missing.


BDNA’s Insight software discovers assets on your network and can tell you interesting tidbits — for example, the date when a vendor plans to cease supporting a critical application’s underlying operating system, or which systems encrypt data at rest.

What’s more, Homan claims, after the software classifies what it finds through its “fingerprint library” of IT system data, you can group assets according to your needs. That is, systems can be gathered by department, division, project or vendor, or you can mix and match. So, you could create a grouping to track test servers in your engineering division that are slated to be virtualized.

Available now, Insight Version 5 lets you follow a project over time. It’s also available as a service, starting at around $100,000 per year.

Collaborate on Services

If you’re following a service-oriented architecture development model, you need fluid collaboration at every step. The folks at Active Endpoints Inc. in Waltham, Mass., think their product will cover all your SOA bases.

Alex Neihaus, vice president of marketing, says ActiveVOS (for Visual Orchestration System) adheres strictly to Web services standards, such as Business Process Execution Language (BPEL) and Business Process Modeling Notation (BPMN). Business analysts can use their own BPMN standard approach to visualize a process, then send it to IT for coding, where it appears in the BPEL format standard. After the coder makes changes in his BPEL view, the business side gets a BPMN view once again.

[Photo caption: A data shortage in IT? You bet, claims Homan.]

According to product manager Mike Moniz, ActiveVOS is 100% compliant with the BPEL 1.1 and 2.0 standards and runs on almost any app server. He says the BPMN module gives business analysts everything they need to model a business process, from data flows and swim lanes to key performance indicators.

ActiveVOS 5.5 will include support for complex event processing when it ships in mid-August. Pricing starts at $10,000 for a production server and $4,000 for a development package.


25%+
Percentage of legacy-savvy baby boomers who will retire by 2011, says Gartner Inc.


Bye-bye, i

IBM once sold something called the System/38, which begat the AS/400, which led to the iSeries, which became System i, which shrank to i5. Now the company offers you a single, pathetic vowel, the i.

The IBM i.

Letters aren’t all the i is losing. David Leichner, chief marketing officer at BluePhoenix Solutions in Cary, N.C., says the legacy technology is losing market share, even among supporters. A survey last month of the membership of Common, the largest user group for i technology, showed that a mere 23% planned to move to the latest Power Systems hardware to run the i OS.

Leichner says the most active part of his company’s legacy-migration business is moving old RPG-based i stuff to .Net or Java just because it’s too risky to keep alive.

The risk comes from the retirement of baby boomers, the only ones who understand the poorly documented code, Leichner claims, and who know how to patch the packaged software that probably was the reason you bought the IBM gear in the first place.

Leichner acknowledges that legacy migrations are neither fun nor cheap. “No CIO will do it unless they have to,” he acknowledges.

But he’s betting you’ll have to. Demographics are on his side. ■


MORE BUZZ

Discover and discuss more industry action at the On the Mark blog: blogs.computerworld.com/hall
■ THE GRILL

W. Wade Vann

The Simmons Bedding CIO talks about ‘plain vanilla’ systems, standardization and just-in-time IT.


Name: W. Wade Vann

Title: Senior vice president and CIO

Organization: Simmons Bedding Co.

Location: Atlanta

Favorite food: Blackened chicken

Wheels: A black 2004 Toyota Sequoia SUV

Hobbies: Golf, scuba diving, skydiving, backpacking, hang gliding, rock climbing and race car driving

Favorite vacation destination: Kiawah Island, S.C.

People would be surprised to learn . . . “That I married my high school sweetheart and that we just celebrated our 35th wedding anniversary.”

Last book read: It’s Not What You Say . . . It’s What You Do, by Laurence Haughton


How is your IT unit organized? We have a centralized IT group, here in Atlanta, that supports all of our 19 manufacturing operations in the U.S. We have four plants in Canada, but they’re on a separate system. We just bought them last year, and our plans are to integrate them into our system within the next 12 to 18 months.

Do all those factories add to the complexity of your IT infrastructure? We’re fortunate that our product line is very simple and that, for the most part, we’re doing the same operations at each of our manufacturing plants. We don’t have a diverse number of product lines, or even customers. We have less than 3,500 customers across the United States. A low number of customers and a low number of SKUs really helps us to keep things as simple as possible.

Is there a lot to keep track of for a bedding company? We have all the financials — accounts payable, general ledger, accounts receivable, fixed assets.

Continued on page 24
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Advertisement 


Speed  up  Your  Systems  in  Real  Time 

The  8  Essential  Benefits  of  Automatic  Defragmentation 


Fragmentation  is  unavoid¬ 
able.  It  wreaks  havoc  on 
hard  disks,  causing  crashes, 
hangs  and  complete  system 
failures. 

Diskeeper  2008  eliminates 
fragmentation — automatically. 
It’s  the  real-time  solution  to 
your  performance  and  reli¬ 
ability  problems.  Diskeeper 
is  absolutely  indispensable.  It 
speeds  up  boot  times,  makes 
applications  launch  faster  and 
improves  the  efficiency  of 
backups  and  anti-virus  scans. 
Diskeeper’s  benefits  have 
proven  time  and  time  again 
to  be  a  vital  part  of  system 
administration. 

We  asked  254  of  our  customers 
what  were  the  essential  benefits 
of  using  Diskeeper.  This  is  what 
they  had  to  say: 


The  8  Essential  Benefits  that  Diskeeper*  Provides 

As  chosen  by  254  Diskeeper  Customers 

Transparent  Defrag  Runs  Unnoticed 


Reliability  Restored 


Pushes  System  Performance  to  its  Peak 


Thanks  to  ail  our  customers  who  participated. 


1.  PUSHES  SYSTEM 
PERFORMANCE  TO  ITS  PEAK 

“We  had  one  machine  that 
had  a  failing  drive  in  a  RAID 
5  array  and  when  we  replaced 

that  drive,  performance  improved  by  300%.  And  then  when 
I  ran  Diskeeper  for  a  week,  again  it  improved  oyer  300%.  A 
disk  intensive  process  that  was  taking  1.5  hours  is  now  taking 
15  minutes.” 

2.  RELIABILITY  RESTORED 

“We  use  Microsoft®  SQL  Server®.  We  were  receiving  hundreds 
of  messages  per  day  in  the  log  like  this  one:  SQL  Server  has 
encountered  21  occurrence^)  of  I/O  requests  taking  longer  than 
15  seconds  to  complete  on  file  [E:\mssql\data\. . .] 

“We  researched  this  error  and  found  that  it  is  usually  caused 
by  badly  fragmented  hard  drives.  While  our  drives  are  part  of 
a  large  SAN  solution,  we  were  not  totally  convinced  that  this 
should  be  causing  the  problem.  We  downloaded  a  trial  version 
of  Diskeeper  and  after  running  it,  all  of  these  errors  disap¬ 
peared!  We  have  purchased  5  copies  of  Diskeeper  and  we  are 
installing  them  on  all  of  our  production  databases  with  the 
expectation  to  never  see  this  error  again!” 

3.  TRANSPARENT  DEFRAG  RUNS  UNNOTICED 

“The  server  automatically  defragments  only  when  there  are  idle 
resources.  No  more  worrying  about  when  I  can  schedule  defrag¬ 
mentation,  no  more  worrying  about  if  the  defragmentation  will 
cause  performance  issues.  InvisiTasking™  has  worked  great  for  us 
on  everything  from  file  and  print  servers  to  SQL  servers.” 

4.  DEFENDS  CRITICAL  SYSTEM  FILES  FROM  FRAGMENTATION 

“I  have  been  using  Diskeeper  at  my  office  on  the  63  workstations 
and  4  servers  over  the  last  year.  The  addition  of  Frag  Shield™  2.0 
eliminates  the  task  of  manually  changing  the  MFT.  In  the  past 


Saves  Money  and  Time 


Eliminate  Costly  Hardware  Upgrades 

f  ‘  ;  Avgfg 

Extreme  Condition  Defragmentation 


Defends  Critical  System  Files  from  Fragmentation 


Speed  Up  Virus  Scans  and  Boot  Ups 


most  of  my  MFTs  needed  adjust¬ 
ment.  Now  that  this  function  is 
automatic,  I  don’t  have  to  manu¬ 
ally  check  it.” 

5.  SAVES  MONEY  AND  TIME 

“Prior  to  installing  Diskeeper,  we 
were  manually  defragmenting. 
Some  of  the  drives  would  take 
hours  to  defrag  and  within  a  few 
days  we  would  need  to  defrag 
again.  Installing  Diskeeper 
basically  paid  for  itself  within 
a  month  by  reducing  off-hour 
salaries.  Also  the  defragmented 
drives  perform  better  and  last 
longer.  It’s  a  no-brainer  for  pro¬ 
duction  machines.” 

6.  SPEED  UP  VIRUS  SCANS  AND 
BOOT  UPS 

“Diskeeper  saves  time  in  doing 
virus  scans,  backing  up,  index¬ 
ing  and  searching  the  files. 
There  are  also  faster  download 
times  for  users  because  of  the 
lower  load  on  the  defragment¬ 
ed  RAID.” 


7.  EXTREME  CONDITION  DEFRAGMENTATION 

“One  day  our  SQL  Server  came  to  a  halt.  I  did  everything:  ran 
spyware  software,  deleted  numerous  .TMP  files,  ran  Windows® 
update,  etc.  But  nothing  got  the  server  to  run.  Then  I  installed 
and  ran  Diskeeper;  I  found  that  the  hard  drive  was  horribly 
fragmented.  But  after  Diskeeper  finished  defragging  the  system, 
the  server  came  up.” 

8.  ELIMINATE  COSTLY  HARDWARE  UPGRADES 

“We  were  looking  at  having  to  replace  or  upgrade  some  of 
the  servers  because  they  were  so  slow.  Since  the  Diskeeper 
install,  they  are  performing  well  enough  that  we  are  no  longer 
looking  at  the  upgrades  and  replacements.” 

Diskeeper  is  essential  for  maximum  speed  and  reliability  on 
networked  systems.  Accelerate  your  systems’  performance. 
Restore  reliability.  Try  Diskeeper  2008  for  free  now! 


SPECIAL  OFFER 


Diskeeper 2008

Go  to  www.diskeeper.com/cwtrial 

(Note:  Special  45-day  trialware  is  only  available  at  the  above  link) 

Volume  licensing  and  Government/Education  discounts  are  available  by  calling 
800-829-6468,  extension  4058. 


© 2008 Diskeeper Corporation. All Rights Reserved. Diskeeper, InvisiTasking, Frag Shield, Maximizing System Performance and Reliability—Automatically, and the Diskeeper Corporation logo are either registered trademarks or trademarks owned by Diskeeper Corporation in the United States and/or other countries. All other trademarks and brand names are the property of the respective owners. Diskeeper Corporation • 7590 N. Glenoaks Blvd. Burbank, CA 91504 • 800-829-6468 • www.diskeeper.com

Your potential. Our passion.

Microsoft

Microsoft System Center is a family of
IT  management  solutions  (including  Operations 
Manager  and  Systems  Management  Server) 
designed  to  help  you  manage  your  mission- 
critical  enterprise  systems  and  applications. 


Carnival Cruise Lines manages 1,000 shipboard
and land-based servers with System Center. That's
big. See Carnival Cruise Lines and other case
studies at DesignedForBig.com

Standardization is the key to everything that we’ve done here.


Continued  from  page  20 
Then,  on  the  manufacturing  side, 
we  have  order  processing  systems, 
manufacturing  scheduling  systems, 
transportation  scheduling  systems. 
Then,  down  on  the  shop  floor,  we  have 
production-tracking  and  time-and- 
attendance  systems.  It’s  all  centralized 
in  one  data  center,  which  is  outsourced 
in  Omaha,  Neb.,  to  reduce  our  costs. 
The  IT  department  is  at  the  company’s 
corporate  offices  in  Atlanta  and  is 
staffed  by  about  52  IT  people. 

What are IT’s main responsibilities at Simmons? IT’s job is to understand the
needs of the business and ensure the
appropriate technology is in place to
support the business needs. This includes transaction processing systems,
business  intelligence  systems  and  all 
infrastructure  required  to  support 
their  needs. 

Your  strategy  is  to  minimize  the  number 
of  applications  your  IT  staff  has  to  sup¬ 
port  for  your  users.  How  do  you  do  that? 

It’s  really  trying  to  have  a  very  clear 
direction  of  where  you  want  to  go.  In 
today’s  world,  software  vendors  not 
only  sell  to  the  CIOs,  but  they  also  sell 
to  every  vice  president  in  a  company. 
So  it’s  not  uncommon  for  a  VP  of  sales 
[or]  manufacturing  to  call  you  and  say, 
“Guess  what  —  I’ve  got  this  piece  of 
software  I  want  to  buy,  and  here’s  what 
it’s  going  to  do  for  us.” 

As  CIOs,  we  need  to  make  sure  that 
we  develop  the  relationships  with  our 
peers  so  that  when  the  software  ven¬ 
dors  call,  before  [the  VPs]  even  look 
under  the  hood  or  take  a  test  drive, 
they  call  the  CIO  and  say,  “We’ve  got 
this  problem,  and  this  software  vendor 
just  called  and  I  think  it  may  be  a  good 
solution.  What  do  you  think?” 

So  we  can  partner  with  the  business 
and  make  sure  that,  No.  1,  this  is  a  pri¬ 
ority,  and  it  fits  within  the  long  list  of 
things  that  the  business  wants  to  do, 
and  No.  2,  it’s  a  good  fit  for  our  strate¬ 
gic  direction. 

You  have  described  the  applications  being 
used  at  Simmons  as  “plain  vanilla.”  Can 
everything you need to do really be done
with  essentially  off-the-shelf  software? 

Let’s  make  sure  you’re  not  misunder¬ 
standing  me.  For  J.D.  Edwards,  our 
ERP  system,  we  have  customized  the 
software.  We  went  through  a  detailed 
review  of  all  the  functional  require¬ 
ments,  and  we  have  had  to  make  some 
changes  to  the  software,  more  so  than 
we  even  wanted  to.  But  we  have  re¬ 
duced  those  needed  changes  by  at  least 
65%  [since]  1995.  And  that’s  driven  by 
two  things:  1)  The  functionality  of  the 
new  software  has  improved,  and  2)  the 
business  has  gotten  smarter  and  we’ve 
realized  that  we  need  to  minimize  the 
customization.  It  just  adds  to  the  ongo¬ 
ing  costs. 

One  of  the  reasons  you  buy  software 
is  that  the  software  companies  can 
get  enhancements  for  all  the  differ¬ 
ent  industries  and  they’ll  make  those 


available  to  you.  So  you  want  to  be  able 
to  bring  in  those  enhancements  as  fre¬ 
quently  as  the  business  will  allow.  And 
if  you’ve  customized  it,  you’re  not  go¬ 
ing  to  do  it  very  often,  because  you’ve 
got  to  reapply  all  those  changes. 

So  you  use  a  narrow  range  of  applications 
at  Simmons  to  conduct  your  business? 

Yes.  We  have  J.D.  Edwards  for  ERP;  we 
have  PeopleSoft  HR  and  Payroll.  We 
use  Hyperion  for  business  intelligence. 
For  document  imaging,  we  use  Stel- 
lent,  and  there  are  10  or  15  other  appli¬ 
cations  —  one-offs  for  different  depart¬ 
ments  that  fit  in  with  our  strategy  but 
that  don’t  affect  the  whole  company. 

We’re  a  Windows  shop,  with  the 
same  version  [on]  every  one  of  about 
1,100  PCs.  All  the  servers  are  config¬ 
ured  the  same.  We  use  the  same  Cisco 
networking  equipment  at  all  plants, 
as  well  as  Avaya  telecommunications 
equipment  at  all  of  our  locations. 

Standardization  is  the  key  to  ev¬ 
erything  that  we’ve  done  here.  The 
IT  department  supports  about  3,500 
workers.  A  lot  of  the  factory  people 
don’t  have  PCs,  but  they  still  use  re¬ 
ports  and  clock  into  the  system.  All 
their  production  is  tracked  using  a 
standard  system. 

We  have  a  time  and  attendance 
system  that  each  employee  actually 
punches  into  at  their  workstation,  and 
then,  as  they’re  producing,  we  track 
which  piece  they’re  producing  so  we 
can  keep  track  of  each  individual’s  pro¬ 
ductivity  in  a  real-time  environment. 

How  does  the  just-in-time  nature  of  your 
business  affect  IT?  Everything  is  just  in 
time.  The  raw  materials  come  in  just 
in  time,  our  trailers  are  shipped  just  in 
time,  the  manufacturing  process  has 
to  happen  exactly  as  scheduled  to  meet 
the  delivery  window.  So  the  system  has 
to  run  very  smoothly  all  the  time. 

If  you  go  into  a  retail  store  and  you 
buy  a  bed  on  Monday,  we  receive  the 
order  Tuesday  morning,  and  we’re  or¬ 
dering  the  raw  materials  for  that  bed 
that  day.  The  bed  will  be  made  that 
day  or  the  next  day  and  will  be  shipped 
to  the  retailer  on  Thursday  and  prob¬ 
ably  be  delivered  to  your  home  on 
Friday.  We  had  not  purchased  any  of 
those  raw  materials  until  today. 

—  Interview  by  Todd  R.  Weiss 


■  OPINION 

Michael  H.  Hugos 

How  Agile  Analysts 
Get  Things  Done 


HERE’S  A  SITUATION  to  ponder.  Let’s  say  one  of 
your  company’s  divisions  has  hit  on  a  great  new 
business  model  that’s  impressing  even  the  ac¬ 
countants.  Headquarters  decides  this  business 
needs  to  be  scaled  up  and  rolled  out  nationally  —  fast. 


What’s  of  interest  to  you 
is  that  headquarters  thinks 
the  systems  developed  by 
the  division’s  IT  group  are 
vital  to  making  this  new 
business  successful.  You 
need  to  find  out  how  this 
business  operates,  what 
those  systems  do  and  how 
the  whole  thing  can  scale 
up  for  national  rollout. 

But  when  a  new  business 
is  taking  off,  the  people 
involved  don’t  have  a  lot  of 
time  to  sit  around  talking 
about  it.  In  fact,  they  say 
they  can  give  you  only  a 
few  days  in  person,  after 
which  they  will  review  the 
documentation  you  send 
them  and  do  some  phone 
calls. 

This  is  a  job  for  an  agile 
analyst.  Here’s  what  I’d  do. 

Time  is  tight,  so  I’d 
focus  only  on  the  most 
important  stuff.  And  the 
first  day  would  be  devoted 
to  finding  out  what  that  is. 

I  would  interview  business 
unit  managers  about  strat¬ 
egy  and  about  who  their 
customers  are,  what  cus¬ 
tomers  like,  how  the  busi¬ 
ness  finds  new  customers, 


how  it  prices  products 
and  services,  and  what  the 
profit  margins  are.  These 
would  be  short,  one-on- 
one  meetings,  because 
managers  are  less  likely 
to  speak  their  minds  in  a 
group.  Questions  would 
have  to  be  pointed  and 
probing. 

The  next  couple  of  days 
would  be  spent  meeting 
with  groups  of  people  in 
different  operations  areas: 
customer  service,  purchas¬ 
ing,  production  schedul¬ 
ing  and  finance.  My  goal 
would  be  to  get  detailed 
workflow  and  task  descrip¬ 
tions,  so  these  meetings 
would  be  longer  and  in¬ 
volve  groups,  since  I  would 
want  to  make  sure  every¬ 
one  was  in  agreement. 

In  each  of  these  meet¬ 
ings,  I  would  stand  in  front 
of  the  group  and  draw  the 
process  flows  on  flip-chart 
paper  as  people  told  me 



about  them.  It’s  a  good  way 
to  keep  people  focused  and 
to  control  the  pace  of  con¬ 
versation.  Better  yet,  you 
finish  meetings  with  all 
the  operations  captured  in 
process  diagrams  and  with 
notes  that  have  been  vet¬ 
ted  by  the  people  involved. 

After  that,  I’d  spend  time 
with  salespeople.  They’re 
always  closest  to  the  ac¬ 
tion.  I’d  ask  them  what 
benefits  this  new  business 
model  would  provide  cus¬ 
tomers.  I’d  also  accompany 
the  salespeople  as  they 
called  on  customers  and 
prospects,  giving  me  a 
chance  to  see  whether  the 
customers  perceived  the 
same  benefits. 

After  little  more  than 
a  week  on  the  ground,  I’d 
be  ready  to  present  my 
findings,  which  I’d  deliver 
to  the  division’s  business 
people  in  three  short 
documents:  process  flow 
diagrams  that  cover  all  op¬ 
erating  areas,  a  logical  data 
model  of  the  data  handled 
in  these  process  flows,  and 
a  storyboard  of  screens  to 
illustrate  how  people  use 


systems  to  manage  the 
data  and  perform  the  tasks 
in  the  process  flows.  I’d 
schedule  phone  calls  for 
reviews  and  corrections. 
Since  such  documents  are 
graphic  and  easy  to  un¬ 
derstand,  even  the  busiest 
people  would  be  willing 
to  take  the  time  to  look  at 
them. 

I’d  ask  for  two  other 
documents  from  the 
division’s  IT  people: 
technical  architecture 
diagrams  of  their  systems, 
and  schemas  of  the  system 
databases.  If  those  docu¬ 
ments  were  complete  and 
up  to  date,  the  systems 
might  scale  up  to  handle 
a  national  rollout.  If  they 
weren’t,  it  would  suggest 
that  there  were  problems, 
and  I  would  not  recom¬ 
mend  using  their  systems 
for  national  rollout. 

But  at  this  point,  I  would 
have  already  done  the 
footwork  necessary  to  get 
going  on  the  systems  we 
would  need.  It  would  all 
be  in  the  three  documents 
delivered  to  the  business 
people. 

That’s  how  agile  ana¬ 
lysts  get  things  done  and 
deliver  value  in  a  fast- 
paced  world.  ■ 

Michael  H.  Hugos  is  a  princi¬ 
pal  at  the  Center  for  Systems 
Innovation  and  a  speaker. 

A  member  of  the  2006 
Computerworld  Premier 
100  IT  Leader  class,  his 
newest  book,  coming  this 
fall,  is  Sustainable  Prosper¬ 
ity:  Business  Agility  and 
Moving  Beyond  the  Boom- 
to-Bust  Cycle  (John  Wiley). 
He  can  be  reached  at 
www.MichaelHugos.com.

Electronic medical record (EMR):

An electronic record of health-related information on an individual that can be created, gathered, managed and consulted by authorized clinicians and staffers within one health care organization.

Electronic health record (EHR):

An electronic record of health-related information on an individual that conforms to nationally recognized interoperability standards and that can be created, managed and consulted by authorized clinicians and staff across more than one health care organization.

Personal health record (PHR):

An electronic record of health-related information on an individual that conforms to nationally recognized interoperability standards and that can be drawn from multiple sources while being managed, shared and controlled by the individual.

SOURCE: NATIONAL ALLIANCE FOR HEALTH INFORMATION TECHNOLOGY (WWW.NAHIT.ORG)


IT’S BEEN ABOUT THREE YEARS
since  San  Diego’s  five  major  hospitals 
first  convened  to  discuss  sharing  elec¬ 
tronic  medical  record  data  in  an  effort 
to  improve  diagnoses,  reduce  errors  and 
improve  the  quality  of  patient  care.  The 
group  held  several  meetings  and  entered 
discussions  with  a  vendor  as  a  possible 
corporate  sponsor  —  and  that  was  that. 


“It  really  didn’t  go  anywhere,” 
says  Dr.  Joshua  Lee,  medical  di¬ 
rector  of  information  services  at 
the  University  of  California,  San 
Diego,  Medical  Center,  one  of  the 
participants  in  the  EMR  discus¬ 
sion.  While  the  system  would 
have  had  a  clear  public  health 
benefit,  it  was  not  in  each  hos¬ 
pital’s  economic  self-interest  to 
pursue  it.  “The  financial  and  over¬ 
sight  responsibility  would  fall  on 
the  medical  centers,  even  though 
it’s  a  very  intangible  benefit  to  the 
medical  centers,”  says  Lee. 

Today,  if  a  child  who  is  a  UCSD 


patient  at  the  pediatric  clinic 
at  7910  Frost  St.  in  San  Diego  is 
admitted  to  the  emergency  room 
at  Sharp  Memorial  Hospital  at 
7901  Frost  St.,  the  only  way  the 
ER  doctor  can  view  that  child’s 
known  medical  problems,  al¬ 
lergies,  prescriptions  and  other 
health  data  is  by  calling  UCSD 
Healthcare,  making  a  records 
request,  and  waiting  for  the  infor¬ 
mation  to  be  printed  and  either 
faxed  or  physically  delivered  on 
paper.  Conversely,  any  treatments 
or  medications  given  at  Sharp 

Continued on page 30

THERE ARE LOTS OF CHALLENGES,
BUT FINANCIAL DISINCENTIVES MAY BE
THE BIGGEST. BY ROBERT L. MITCHELL

INFRASTRUCTURE LOG

_DAY  54:  This  gap  between  LOB  and  IT  is  getting  out  of  hand. 
Our  business  processes  are  rigid  and  inflexible.  We  can’t 
react  to  changes  in  the  business  environment.  We’ve  got  to 
find  a  way  to  bridge  the  chasm. 

_Gil’s  gonna  jump  it.  I  think  he  needs  a  bigger  engine. 

_DAY  55:  I’m  closing  the  gap  with  a  Smart  SOA™  approach  from 
IBM.  They  offer  a  full  range  of  software,  hardware  and 
services  to  accelerate  the  alignment  of  our  business  and  IT. 
Their  track  record  is  impressive.  They’ve  proven  themselves  at 
all  stages  of  SOA  adoption,  with  over  6,550  engagements.  Now 
we’ll  have  the  agility  to  respond  faster  to  change. 

_Gil  didn’t  clear  the  chasm.  He  says  from  now  on,  he’s  not 
jumping  metaphors. 


Watch  the  Smart  SOA  demo  at: 

IBM.COM/TAKEBACKCONTROL/SOA 


Continued  from  page  27 
won’t  be  entered  into  the  patient’s  EMR 
in  the  UCSD  system.  “It’s  not  like  we 
don’t  share  on  paper,  but  we  don’t  insti¬ 
tutionally  share  data,”  says  Lee. 

The  situation  in  San  Diego  is  the  norm 
rather  than  the  exception,  but  it  doesn’t 
have  to  be  that  way.  “We  have  had  the 
technology  to  do  this  for  30  years,”  says 
Shaun  Grannis,  medical  informatics 
researcher  at  the  Regenstrief  Institute, 
an  Indianapolis-based  research  organi¬ 
zation  that  spearheaded  a  metropolitan 
health  information  exchange  in  its  home 
city.  One  of  the  first  U.S.  regional  ex¬ 
changes,  the  Indianapolis  system  is  used 
by  34  health  care  providers. 

Rather  than  requiring  member  pro¬ 
viders  to  change  their  internal  systems, 
the  institute  wrote  middleware  that 
integrates  data  from  all  of  those  pro¬ 
prietary  systems  and  organizes  it  into 
a  single  data  model.  “We  wrote  the  in¬ 
terface  engines  that  do  all  of  this  stuff,” 
says  Grannis.  If  members  simply  want 
to  view  integrated  patient  data,  they  log 
into  the  community  electronic  health 
record  (EHR)  Web  site.  Alternately,  the 
institute  can  push  data  out  to  providers 
that  have  their  own  EMR  systems. 

Ultimately,  technology  isn’t  the 
problem.  Granted,  the  health  care 
industry  has  been  held  back  by  loose 
and  overlapping  technical  standards 
and  by  poor  interoperability  among 
the  different  types  of  health  infor¬ 
mation  systems  sold  by  hundreds  of 
vendors.  But  the  biggest  obstacle  may 
be  a  payment  model  that  offers  little 
financial  incentive  for  most  health  care 



providers  to  invest  in  using  electronic 
records  internally,  let  alone  share  them 
with  other  providers. 

Electronic  records  systems  do  yield 
some  savings,  particularly  in  the  area 
of  filing,  but  the  savings  often  aren’t 
enough  to  justify  the  cost  —  especially 
for  single-physician  and  small  group 
practices,  which  make  up  more  than  half 
of  the  health  care  services  in  the  U.S. 

Even  in  Indianapolis,  there  is  no  vi¬ 
able  long-term  business  model  for  the 
health  information  exchange,  and  not 
all  members  have  their  own  EMR  sys¬ 
tems.  “We  are  largely  grant-funded,” 
Grannis  says.  Once  those  grants  come 
to  an  end,  other  revenue  sources  must 
be  found  to  sustain  the  programs. 

THE  BUSINESS  PROBLEM 

Just  getting  health  care  providers 
to  migrate  from  paper  to  electronic 
records  systems  is  a  challenge. 

“The  provider  bears  the  cost,  but 
most  of  the  benefits  accrue  to  other 
parties,”  mainly  “payers”  —  insurance 
companies  —  and  patients  who  reap 
the  benefits  of  higher-quality  care,  says 
John  Halamka,  CIO  at  Harvard  Medi¬ 
cal  School  and  Beth  Israel  Deaconess 
Medical Center in Boston and a Computerworld columnist.

Among  the  benefits  for  patients  is 


prevention  of  adverse  reactions  to 
drugs.  But  while  providers  recognize 
the  benefits,  they  aren’t  rewarded  for 
improved  patient  care  and  safety,  says 
John  Quinn,  chief  technology  officer  at 
Health  Level  Seven  Inc.  (HL7),  a  health 
data  standards  development  organiza¬ 
tion  in  Ann  Arbor,  Mich. 

A  recent  study  on  the  value  of  com¬ 
puterized  order-entry  systems  for 
clinical  use  found  that  only  11%  of  the 
return  on  that  investment  goes  to  the 
provider.  Most  of  the  rest  benefits  the 
payer,  says  study  co-author  Blackford 
Middleton,  who  is  corporate  director 
of  clinical  informatics  research  and  de¬ 
velopment,  and  chairman  of  the  Center 
for IT Leadership at Partners HealthCare System Inc. in Boston.

“We’re not reimbursed for using
better systems to take better care of
patients,” says Mark Leavitt, chairman
of  the  Certification  Commission  for 
Healthcare  Information  Technology. 
Ironically,  the  financial  systems  are 
a  different  matter.  “Everyone  makes 
darn  sure  those  work,  because  if  you 
don’t  send  [insurance  reimbursement 
information]  in  the  right  format,  you 
don’t  get  paid,”  he  says. 

Historically,  the  adoption  of  com¬ 
puters  in  health  care  has  been  driven 
by  the  need  to  bill  for  services.  That 
hasn’t  changed,  Leavitt  says. 

The  same  problem  arises  with  re¬ 
gional  health  information  exchanges, 
such  as  the  one  briefly  considered  in 
San  Diego.  “If  I  send  electronic  infor¬ 
mation  to  Sharp  [Memorial  Hospital],  I 
don’t really benefit. It costs money to do
this, and it doesn’t really help our margin,” says Lee. “It’s good for patients,
but  it’s  almost  an  unfunded  mandate.” 

On  the  other  hand,  says  Leavitt,  “if 
you’re  not  able  to  cover  the  last  mile  and 
get  that  record  to  the  other  institution,  it 
won’t  affect  your  reimbursement  at  all.” 

Shared  EHRs  can  help  providers 
avoid  duplicating  tests.  But  providers 
are  compensated  for  procedures  given, 
not  those  avoided.  “The  cost  to  the 
payer  is  diminished,  but  so  is  the  re¬ 
imbursement  to  the  radiology  depart¬ 
ment  and  the  radiologist,”  says  HL7 
CEO  Charles  Jaffe. 

“The  problem  we  have  in  this  coun¬ 
try  is  a  lack  of  business  reasons  for 
integrating,”  Jaffe  explains.  “What  is 
the  business  case  for  two  competing 
hospitals  to  share  data?  None.” 

On  a  national  level,  the  inability  to 
exchange  health  information  has  public 
health  consequences.  About  47  million 
Americans  move  every  year,  but  for  the 
vast  majority,  medical  records  —  even 
electronic  ones  —  don’t  follow  the  pa¬ 
tients.  That  can  affect  continuity  of  care. 

“Nirvana  is  when  in  every  transi¬ 
tion  of  care,  a  clinical  summary  will 
be  pushed  to  the  next  caregiver,”  says 
Halamka.  Today,  that  information  is 
still  printed  and  forwarded  on  paper. 

If  the  patient  is  lucky,  his  new  provider 
may  scan  the  paper  records  into  its  own 
system,  where  they  will  be  available  as 
viewable  but  nonsearchable  image  files. 

Robert  Smith  is  associate  chief  of 
staff  for  health  care  analysis  at  the 
Veterans  Administration  San  Diego 
Health  Care  System,  which  also  partic¬ 
ipated  in  the  regional  exchange  discus¬ 
sions.  He  thinks  that  the  advantages 
in  quality  of  health  care  and  patient 
safety  are  “worth  every  cent.” 

The  VA  has  developed  its  own  EMR 
system  and  can  share  patient  data  with 
any  VA  hospital  in  the  country,  as  well  as 



with  some  U.S.  Department  of  Defense 
medical  facilities.  But  VA  San  Diego 
can’t  exchange  data  with  non-VA  health 
care  providers  that  its  patients  use. 

The  Duke  University  Health  System 
has  integrated  the  data  from  its  dispa¬ 
rate  systems  to  create  a  unified  EMR 
system.  CIO  Asif  Ahmad  says  the  ben¬ 
efits  have  been  worth  the  considerable 
effort  involved.  The  hospital  is  using 
business  intelligence  tools  to  comb 
through  clinical  data  in  an  effort  to  im¬ 
prove  the  quality  of  patient  care  and  is 
using  predictive  analytics  to  help  avoid 
potentially  adverse  reactions  to  drugs 
and  improve  patient  safety.  But  it  is  not 
yet  sharing  health  care  record  data  out¬ 
side  of  its  own  provider  network. 

SHOW  ME  THE  MONEY 

The  lack  of  consistent  standards  and 
the  plethora  of  proprietary  vendor  of¬ 
ferings  contribute  to  the  problem,  but 
those  issues  are  slowly  being  resolved. 
Improving  interoperability  will  make 
building  an  EMR  infrastructure  and 
EHR  exchanges  easier  and  cheaper,  but 
it  won’t  solve  the  incentive  problem. 

First,  there  are  the  upfront  costs  for 
getting  all  practices  on  EMR  systems. 
Leavitt  says  the  typical  cost  of  such  a 
system  ranges  from  $15,000  to  $50,000 
per  doctor.  “Smaller  practices  can’t 
amortize  it,”  he  says. 

“Doctors  are  not  going  to  do  this  on 
their  own,”  says  Halamka.  “Hospitals 
have  to  pay  for  them  to  acquire  it,  and 
payers  have  to  provide  incentives  for 
them  to  use  it.” 

He  says  thanks  to  a  2004  reinter¬ 
pretation  of  the  Stark  Law  —  federal 
legislation  that  prohibits  doctors  from 
receiving  subsidies  from  institutions  to 
which  they  refer  patients  —  hospitals 
can  subsidize  up  to  85%  of  nonhardware 
implementation  costs  for  private  prac¬ 
tices.  By  using  a  software-as-a-service 
model  for  delivering  EHR  systems,  those 
practices  can  reduce  upfront  hard¬ 
ware  costs.  “Software  as  a  service  is 
cheaper  because  of  economies  of  scale 
achieved  through  central  hosting  and 
procurement,”  Halamka  says. 

But  although  Beth  Israel  Deaconess 
has  made  it  a  policy  to  offer  EHRs  to 
nonemployee  doctors,  many  hospitals, 
faced  with  tight  budgets,  are  unlikely 
to  fund  such  programs  without  an  eco- 
Continued  on  page  34 


Cost  isn’t  the  only  reason  why 
doctors  may  object  to  using  elec¬ 
tronic  medical  records  systems. 

Most commercial products in use today weren’t built by clinicians, and some have faced doctor pushback. “Top-down efforts to create electronic health records often run into resistance” - and even open rebellion among doctors, says Robert Smith, associate chief of staff for health care analysis at the Veterans Administration San Diego Health Care System.

Shaun Grannis, medical informatics researcher at the Regenstrief Institute, says the user interfaces in commercial products often lack flexibility and don’t always present information the way doctors need to see it.

“In  my  electronic  medical 
records  system,  it  takes  seven 
mouse  clicks  to  place  a  prescrip¬ 
tion  for  my  patients.  That’s  too 
many,”  he  says. 

Grannis  also  would  like  to 


patient’s  medications  and  di¬ 
agnoses  from  the  same  screen. 


enough  to  allow  that.  He'd  like  to 
see  a  fully  customizable,  widget- 
style  user  interface  like  iGoogle’s 
so  a  doctor  could  arrange  differ¬ 
ent  health  information  widgets 
and  resize  and  reorder  them 
on  the  same  screen.  “I’d  like  to 
decide  how  I’m  going  to  interface 
with  the  system,  not  the  other 
way  around,”  he  says. 

Smith  agrees  that  it  may  be  less 
efficient  to  “mouse  around”  on 
electronic  forms  than  it  is  to  use 
paper.  But  if  physicians  can  get 
over  that,  efficiencies  in  decision 
support  and  structured  reviews 
of  information  such  as  lab  and 
radiology  results  make  electronic 
record  systems  worthwhile.  The 
key,  he  says,  is  to  tailor  the  sys¬ 
tems  to  the  physicians’  needs. 

- ROBERT L. MITCHELL

_DAY 41: Our processing needs and energy bills keep growing!

We  spend  the  bulk  of  our  budget  just  powering  and  cooling  our 
machines.  Gil  says  he  knows  where  we  can  generate  more  power. 

_He  moved  the  data  center  to  the  top  of  a  dam.  Note  to  self: 
don’t  drop  pen. 

_DAY  44:  I’m  taking  back  control  of  our  energy  issues  with 
IBM.  Their  services  helped  us  design  a  data  center  that 
sips  energy.  Now  we’re  running  on  fewer,  more  energy- 
efficient  IBM  Systems  to  drive  utilization  up  and  costs 
down.  And  IBM  Systems  Director  Active  Energy  Manager™  and 
IBM  Tivoli  software  can  help  us  monitor  usage  and  manage 
costs.  It’s  all  part  of  their  approach  to  the  new 
enterprise  data  center. 

_Good thing — I’m not that into dams. I’m more of a fjord guy.


Find  out  how  energy  efficient  your  company  is  at: 

IBM.COM/TAKEBACKCONTROL/EFFICIENT

nomic incentive to do so.

There  are  secondary  costs  as  well. 
Staffers  must  learn  a  new  EMR  system 
and  often  must  change  their  business 
practices  to  accommodate  the  way  it 
works.  In  some  cases,  the  implementa¬ 
tion  of  a  system  can  take  four  to  six 
months  and  cut  back  the  number  of 
patient  visits  by  as  much  as  50%,  says 
Grannis.  “That’s  a  big  barrier  to  face. 
And  they’re  not  computer  scientists, 
so  it’s  a  strange  new  world,”  he  says. 
While  practices  do  see  some  savings 
by  reducing  costs  in  areas  such  as  fil¬ 
ing,  “none  of  these  value  propositions 
are  home  runs,”  says  Grannis. 

HL7’s  Jaffe  says  that  if  the  market 
isn’t  providing  incentives  to  doctors  to 
make  the  transition,  the  government 
should do so in order to improve public
health. “In the U.S., [the government]
has  budgeted  $75  million  for  health 
care  IT.  In  England,  it’s  £1  billion.  It’s 
disheartening,”  he  says. 

The  U.S.  Department  of  Health  and 
Human  Services  does  have  one  small 
program  under  way.  In  what  project 
officer  Jodi  Blatt  calls  a  “pay  for  per¬ 
formance  demonstration,”  the  Centers 
for  Medicare  &  Medicaid  Services 
are  in  the  process  of  recruiting  2,400 
practices in 12 locations this year to participate in a study. Physicians can earn up to $58,000 — group practices up to $290,000 — in incentives over the course of the five-year program by demonstrating improvements in patient care as a result of having implemented EMR systems. “We believe the incentives are substantial enough to reduce the barriers to practices,” she says.

However, there are 921,904 physicians, 723,118 practices and 5,756 hospitals in the U.S., according to the American Medical Association and the American Hospital Association. Given those numbers, it’s not clear that the incentive program will enable the industry to meet President Bush’s stated goal that it provide most Americans with interoperable EHRs by 2014.

BROKERED SOLUTION

If all hospitals and physicians used EMR systems and met the standards for interoperability, more regional exchanges — and even national information exchanges — could start to develop. “A hospital in Miami could contact a hospital in San Diego and do some sort of exchange. That’s in the ideal world,” says Blatt.

But who will pay for that remains unresolved. Grannis says Regenstrief is working to find a sustainable economic model for health information exchanges by providing value-added services beyond basic health-record sharing. For example, the institute has received separate, ongoing funding for a service that uses data in the EHR exchange to quickly identify disease outbreaks (see story, page 16). But today, Grannis acknowledges, the exchange still depends on “a patchwork of funding.”

He says he thinks that efforts by Microsoft Corp., Google Inc. and others to build personal health record repositories — Web-based services where individuals can aggregate health records from multiple providers and add their own data — will put pressure on the industry to embrace EMRs. But it will be too complicated and costly for providers to establish bidirectional transfers with every other provider. Exchanges such as the one in Indianapolis will be required, and to assuage competitive concerns, neutral third parties will need to step in to manage those exchanges, Grannis says.

That’s the tack taken with the nonprofit Massachusetts Health Data Consortium’s MA-SHARE program. It enables the exchange of clinical document summaries and e-prescribing data among 17 hospitals, using Web services protocols. But even in Massachusetts, with its many advanced teaching hospitals, 50% of doctors still don’t use EMRs, and Halamka’s nirvana of consolidated EHRs that follow the patient remains a distant vision. ■
Quality Over Quantity

This drug firm’s approach to application support uses more service-level metrics and fewer vendors. By Mary K. Pratt

IT LEADERS 2008: This story is part of an ongoing series showcasing the best projects of this year’s Premier 100 IT Leaders.


Johnson & Johnson

Johnson & Johnson Pharmaceutical Research & Development LLC in Raritan, N.J., performs R&D work for the pharmaceutical business units of Johnson & Johnson worldwide.

IT CHAMPION: Rick Franckowiak, director of the technology office

IT STAFF: 120 employees in the R&D unit; the technology office organization has 30 internal employees, four of whom are dedicated to applications support and software maintenance.

PROJECT PAYBACK: The company won’t disclose the project costs but cites a 30% reduction in application support costs. It had saved $1.75 million as of 2006, with an additional 5% reduction in costs expected in 2007, 2008 and 2009. ROI also includes an increase in service-level performance to 94%, 14 percentage points higher than in 2004.

Rick Franckowiak and his staff were facing rising costs for application-support services that, despite the burgeoning price tag, could have been better. So the team took action.

Franckowiak, director of the technology office at Johnson & Johnson Pharmaceutical Research & Development LLC (J&JPRD), led an application support project that brought a strategic shift in how services are delivered, trimming the number of vendors while also increasing the quality of services and cutting costs.

“Making a switch from a head count to service-level approach was a major change, both culturally and in terms of process. But now, service levels are up, and costs are down significantly,” Franckowiak says.

Management of product support services is becoming increasingly complex, important and costly, says Bob Igou, an analyst at Gartner Inc. “IT organizations are highly challenged to free up some money to do the new stuff that the lines of business want and still keep last year’s stuff running and up-to-date,” he says.

Therefore, companies are trying to improve the management of their support services to rein in costs and improve customer satisfaction. “They’re paying big bucks to get software support, and they’re engaging with their vendors and saying, ‘What are we getting for this money?’ ” Igou says.

When J&JPRD started the application-support project, Franckowiak’s technology office oversaw a portfolio of more than 90 business applications. The company had five major vendors providing support, with contracts focused on the number of individual contractors rather than overall service levels, Franckowiak says.

The four-member application support function team started the project by examining different approaches to improve management. It opted to go with just one vendor, charged with managing to a specified service level, Franckowiak explains.

IN-HOUSE WORK

Yet vendor selection was only part of the process. Much of the work needed for a successful outcome was done internally. Over two years, the team had to build consensus around the project within both the IT department and the business divisions, says application support manager Bart Leplae; communication was essential to success.

Leplae says team members also categorized applications as “gold,” “silver” or “bronze” based on their importance to the business. Gold applications require the quickest resolution times.

Franckowiak says his team also used the project to gradually introduce offshore services and to develop and implement more detailed metrics to measure success and customer satisfaction.

Despite its ultimate success, the project presented some lessons to be learned.

For example, the IT team came to recognize the importance of having the vendor place the right employees in key management positions, Leplae says.

The team also had to push the vendor for continual process improvement, which the contract specified, says application support manager Frank Drust.

“We shouldn’t be making all the recommendations. At first we were, but we had to push the vendor a little bit more; we wanted them to be proactive,” he says.

Now, four years into the five-year contract, Drust says the process is running smoothly enough to allow that to happen. ■

Pratt is a Computerworld contributing writer in Waltham, Mass. Contact her at marykpratt@verizon.net.
AS AN IT PROFESSIONAL, you know the basic rules of office politics, the simple do’s and don’ts that govern life at work. Adhering to these standards — the ones that tell you to be proactive and a team player — will help you keep your job. If you really want to advance, though, you need to know which types of information your boss relies on you to provide.

More isn’t necessarily better, however, and discretion is everything. So, you also need to know the kinds of information your boss never wants to hear from you.

We asked a group of Computerworld’s 2008 Premier 100 IT Leaders to talk about the kinds of messages they need to hear loud and clear from their employees and the things they never, ever want to hear. Here’s what they said.


Five Things You Should Always Tell Your Boss

1 THE REAL STORY.

“Sugarcoating problems, holding back information, overpromising and consistently underdelivering are all reasons why IT has a bad reputation. We do this so well, we don’t even realize there is a problem,” says Robert Strickland, senior vice president and CIO at T-Mobile USA Inc. in Bellevue, Wash. “To lead effectively, I need the complete picture, as do our customers and our suppliers. When information is withheld, you are protecting no one.”

Neal Puff, CIO for Arizona’s Yuma County, agrees, but with the caveat that this is not a license to vent. “People sometimes confuse the truth with their opinion,” he says.

2 YOUR IDEAS.

“Bring me ideas to improve the business, even if they’re outside of IT,” says Kumud Kalia, CIO and executive vice president of customer operations for Toronto-based Direct Energy, an integrated energy company and part of Centrica PLC.

Sounds simple enough, but Kalia says workers are often reluctant to do this, thinking they have to go through established chains of command. But that’s not necessarily the case. Bringing ideas straight to the top can help get initiatives going.

“I can help get things launched and broker the appropriate conversations,” Kalia says.

3 WHAT YOU WANT.

Ted Maulucci, CIO at Tridel Corp., a condominium developer in Toronto, tries to shift his workers into the jobs that they would enjoy most. It helps with employee retention, morale and productivity.

He points to one employee who loves working on hardware so much, he’ll come in at 3 a.m. to tackle a new project.

That’s why Maulucci wants to hear what his staffers want from their jobs and for their futures.

4 NO.

It takes courage to tell the boss that you don’t agree, but it’s better for all involved when you say no to suggested projects, timelines, budgets or technologies that just aren’t going to work, says Michael F. Williams, executive director of IT for the Immune Tolerance Network of the Diabetes Center at the University of California, San Francisco, and CIO for the Department of Neurology’s Epilepsy Phenome/Genome Project.

But saying no to ill-conceived ideas isn’t the same as obstructing an entire project. “After you say no, don’t make it impossible,” Williams says. “You have to provide various alternatives and let me know the pros and cons.”

5 YOUR SUCCESSES.

No one wants to spend each day hearing only about project setbacks, failed servers and unexpected downtime. Good news is welcome, too. Yet IT workers seem reluctant to promote the positive, Kalia says.

The thought doesn’t occur to them, “or maybe they think that what they’re doing isn’t that special,” he explains.

Whatever the cause of such reticence, Kalia says IT pros should change their mind-sets. He wants to hear about accomplishments so he can recognize them and offer pointers to do even better next time.

“But it’s not only about learning what you’ve done so we can apply best practices,” he adds. “It’s about celebrating success so everyone can share in that.”

Five Things You Should Never Tell Your Boss

1 ALL ABOUT THE TECHNOLOGY AND NOTHING ABOUT THE BUSINESS.

Acting like the business is terra incognita is a no-no. “Never tell me you don’t know what the business wants, but you’ll build it when they decide,” says James E. Schinski, a vice president and CIO at Midwest Independent Transmission System Operator in Carmel, Ind.

Joseph J. Tufano, vice president and CIO at St. John’s University in New York, agrees, saying IT workers need to tell him how technology can help the organization and its staffers do their jobs better.

“You bring so much more credibility to the discussion when you’re presenting technology in the context of business,” he says.

2 THAT THERE’S ONLY ONE SOLUTION.

“People can sometimes develop a fondness for a certain technology or programming language or manufacturer into almost a religion, but it’s never the case that one type of solution is the proper one for all situations,” says Yuma County’s Puff.

“And when you develop an attitude like this, you’re viewed as an obstacle or a roadblock,” he adds. “People will assume you’re just going to like it this way and you’re not going to like it any other way.”

3 NEGATIVE OPINIONS ABOUT YOUR COLLEAGUES.

It’s a simple rule that can get overlooked when your team is struggling with a missed deadline or a failing project, but think before you point a finger, because bosses generally don’t want to hear about it — especially if you haven’t tried to work it out on your own.

“I want a team that works together and not one that’s political, and if I see it happening, then I think people are trying to score points,” says Kalia.

Of course, there are times when you need to discuss personnel issues with your boss. For example, Kalia wants to know from managers when workers are thinking of leaving.

Just be sure the boss really needs to know about the situation; then be discreet and objective.

4 THAT THERE’S NO WAY.

Strickland’s position: Everything is possible.

“It may be impossible to deliver the exact goal, or it may be impossible to deliver the goal in the way it has been outlined, but before you say it is impossible, tell me some of the challenges you may face, and we can have a conversation about overcoming those challenges,” he says. “You may be surprised by what you can accomplish if you let go of your biases.”

5 A SURPRISE.

CIOs almost universally say they don’t like surprises — particularly unpleasant ones. Ian S. Patterson, CIO at Scottrade Inc., a St. Louis-based online brokerage firm, says he always prefers to hear news — good and bad — directly from his workers. So when someone comes by and starts with “I want to give you a heads up,” it really catches his attention.

Moreover, it’s a good bet that your boss prefers to hear that news sooner rather than later, says Gregory B. Morrison, CIO at Cox Enterprises Inc., an Atlanta-based media company and provider of automotive services.

“Getting help early could help keep a small problem from turning into a disaster,” he says. ■

Pratt is a Computerworld contributing writer in Waltham, Mass. Contact her at marykpratt@verizon.net.

Environment

to talking with the boss, knowing what to say, when to say it and how to put it can be tricky for some people. Here are six ways that the person in charge can encourage the right conversations in the office:

■ Lead by example.

■ Run a transparent organization.

■ Accept failures gracefully and learn from them.

■ Remind your team of what’s appropriate and what isn’t.

■ Don’t communicate things in anger or frustration.

■ Tailor your communication method - from face-to-face to IM - to the message and the situation.

- MARY K. PRATT
SECURITY MANAGER’S JOURNAL | C.J. KELLY

Shoveling Sand Against the Tide

The frustrations of slashed budgets and inadequate manpower come to a head. Is it time for a change?

Trouble Ticket

AT ISSUE: The frustrations of working without enough resources are mounting.

ACTION PLAN: Consider available options, including jumping ship for the private sector.

I WAS RECENTLY shocked to discover that one of our primary Web sites was not properly secured.

The site includes a form that recipients of our services fill out with personally identifiable information, including Social Security number, name and address. This was a security breach waiting to happen.

I literally ran down the hall to talk to the webmaster.

On my way, my mind was racing as fast as my feet were carrying me. I knew that the Web site had been secure a few years ago. What had changed?

As it turned out, when we implemented SSL a couple of years ago, we changed domain names for the Web site. But we had to keep the old domain name active for a while, forcing a referral to the correct page each time someone tried to access the old domain pages. A few important pages had been missed when the changeover occurred.

It took only half an hour to correct the problem, but the idea that people had been submitting confidential information without the proper security in place made me shaky. Still, I wasn’t about to chastise the webmaster. It was just a human error. And human error is inevitable, given our lack of resources.

STRETCHED TOO THIN

The root cause of any problem we encounter in my state government agency is that we are sorely understaffed. Our webmaster, for example, is more than just a webmaster. He’s also a Unix and Windows administrator, as well as an IT tech who takes a turn on the help desk. There’s only so much the guy can do in the course of a week. And it’s the same for everyone here.

Being understaffed means we have no time to check one another’s work, or even our own.

Consider our intrusion monitoring. We have installed the technology to log events, but we can’t afford to have someone monitor those logs full time or separate the false positives so that the system is a truly worthwhile tool for identifying events that need our attention.

We needed that technology, and when I made the request for it, I also requested funding for a new position so that we’d have a full-time staffer to monitor the system. We got the technology, but not the position. How do you convince the myriad layers of bureaucracy that one without the other is just a waste of money?

LOSING HOPE

The entire situation is a recipe for disaster with no end in sight. And when one disaster hits after another, you can’t help but feel that there’s no hope in sight.

Our slashed budgets are being cut again, and even future budgets are being trimmed as the economy slows to a crawl.

When I have a moment to take a look at the situation that I’m in at work, I see how crazy it is. I have an impossible job that keeps me switching between my manager hat and my techie hat multiple times each day. Things are so bad that it’s becoming harder and harder to drag myself to work every day when I know all we can do is shovel sand against the tide.

At times like these, I wonder whether the grass is greener on the other side — in the private sector, that is.

I have a friend who used to be my partner in consulting. She has a very successful business and for years has been asking me to join her. It would be a big change for me.

My role, oversimplified, would be to accompany her on sales calls as the subject-matter expert who could explain in plain English to C-level executives why they need security technology.

I’m seriously thinking about it. ■

This week’s journal is written by a real security manager, “C.J. Kelly,” whose name and employer have been disguised for obvious reasons. Contact her at mscjkelly@yahoo.com.

To join in the discussions about security, go to computerworld.com/blogs/security
■ OPINION

Paul Glen

How to Get Value From Outsiders

THIS SUMMER marks my 20th year as an IT consultant. I’ve been fortunate enough to work with more than 100 companies, big and small, public and private, on three continents.

I’ve had the opportunity to observe how organizations derive value from outsiders, and how those relationships can enhance effectiveness and be cost-efficient. I’ve also seen that they can be useless or even destructive. There are probably few readers of this column who can’t tell a tale of thousands or millions of dollars wasted by their employers on outsiders’ services. So I thought that I’d share a simple secret I’ve learned about getting the best value from your services budget.

Here it is: Language matters.

It may seem like a small thing, but what you call the outsiders seems to make a difference in whether you get the value you expect. Whether you call them consultants, contractors, outsourcers, advisers, service providers, hired guns, partners, vultures, hacks, short-timers or some other name, it’s not just semantics. Each label brings with it assumptions that structure the human interactions that take place daily at the tactical level.

Each label can have positive or negative emotional connotations for providers and clients, and those connotations shouldn’t be ignored. Each term implies a different sort of role and dictates what the outsiders believe is expected of them.

Don’t get me wrong. I don’t think that any one label is superior to another. It’s a question of fit between the label you use and the relationship you want.

Consultants will be asked different questions than contractors or hired guns. And if asked the same questions, they may offer different answers. Even if you’re talking to the same human being, the way the provider conceptualizes his role is as important as the way the client does, and it will affect his response.

Unfortunately, language also changes over time. The meanings of these words evolve, making it harder to communicate effectively with both insiders and outsiders about the value you truly expect. I’m not quite sure why this happens, but I’d have to guess that it’s often the result of an unstated conspiracy between professional service salespeople and their customers. They both have incentives to bend language to make services seem more important and justifiable. Getting budget often requires participating in a linguistic arms race.

To get the best value from your outside service providers, follow these two simple rules.

1. Be clear about the value you want. This may sound obvious, but being articulate about how you want a relationship to benefit you and your organization is not a simple task. Just think about a current relationship and write down the value you want. Then ask yourself four questions about the relationship:

■ Is that really what I want?

■ Is that all I want?

■ Will my wants change over time?

■ Does everyone else want the same things?

If you can get everyone involved in a project to agree to a value statement in less than an hour, I’d be surprised.

Because it’s difficult, most clients skip this step completely. Everyone assumes that they know what they want and that everyone else wants the same thing. This is rarely the case. And most providers are happy to skip this too, since getting consensus may delay or jeopardize a sale.

2. Use language that is consistent with the value you want. If you want a spare set of hands, hire a contractor. If you want a managerial adviser, hire a management consultant. If you want to have someone handle desktop support, hire an outsourcer.

If you think about these relationships carefully, you can get what you want. But it all starts with what you call them. ■

Paul Glen is the founder of the GeekLeaders.com Web community and author of the award-winning book Leading Geeks: How to Manage and Lead People Who Deliver Technology (Jossey-Bass, 2003). Contact him at info@paulglen.com.
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Shamank 

TRUE  TALES  OF  IT  LIFE  AS  TOLD  TO  SHARKY 


Try,  Try  Again 

Hospital  IT  help  desk  gets 
a  call  from  nurses  in  the 
clinic  who  say  they’re  having 
trouble  adding  paper  to  their 
laser  printer.  “They  told  the 
tech  that  the  eject  button  for 
the  paper  tray  was  not  work¬ 
ing  properly,”  says  a  pilot  fish 
there.  “Since  it  didn’t  eject 
the  paper  tray  when  it  was 
pushed  the  first  time,  they 
pushed  it  harder  a  number 
of  times,  and  now  there  was 
no  power  to  the  printer.”  But 
the  tech  is  puzzled.  There’s 
an  identical  printer  in  the  IT 
offices  and  it  has  no  eject 
button  -  to  add  paper,  you 
just  slide  out  the  paper  tray.  A 
quick  trip  to  the  clinic  solves 
the  mystery:  The  printer’s 
power  switch  has  been 


jammed  completely  into  the 
case.  Says  fish,  “The  nurse 
on-site  swore  that  she  always 
had  to  push  this  ‘eject  but¬ 
ton’  to  release  the  paper  tray 
to  load  paper  -  and  she  had 
trained  quite  a  few  others  to 
do  the  same.  When  the  tech 
calmly  explained  that  was  the 
power  switch  and  now  the 
printer  was  definitely  broken, 
the  nurse’s  reply  was,  ‘Can’t 
you  just  swap  it  with  a  spare 
one  you  have  somewhere?’  ” 

Pop  Quiz 

This support pilot fish divides users into two groups: those who can
help him diagnose a problem, and those who lead him down a rathole if
he believes anything they say. And he finds that a few test questions
can usually identify which is which. Case in point: a user who says
that since she got a wireless mouse, her monitor won’t work when she
starts her home PC. Fish: Are the cables plugged firmly into computer
and monitor? User: “Yes.” Are the power cords plugged into a
multiple-outlet strip? “Yes.” Are there separate power switches for the
computer, monitor . . . “Yes, yes.” . . . The keyboard and mouse, too?
“Yes, yes, yes, yes!” Are the power switches on the multiple-outlet
strip for the keyboard and mouse turned on? “Yes!” Sighs fish, “She
failed the test. I told her, ‘Well, I’m not quite sure what the problem
is. Why don’t you try plugging in a standard mouse and call me back
tomorrow?’”

Oops! 

Desktop tech is upgrading users to new laptops and transfers this
user’s data to a new machine, reports a pilot fish on the scene. “He
leaves the old laptop, which is three years old, with her in case there
are files she forgot to request be moved,” fish says. But two weeks
later, when it’s time to collect the old machines, there’s a problem.
“The tech calls to make arrangements to pick up the laptop,” says fish.
“She tells him that she donated it to her favorite charity. He asks why
and she says that since he left it with her, she thought he wanted her
to take care of disposal.”

■  Sharky  will  gladly  take 
that  true  tale  of  IT  life  off 
your  hands.  Send  it  to  me  at 
sharky@computerworld.com. 
You’ll  score  a  sharp  Shark  shirt 
if  I  use  it. 


TIRED OF BUNGLING BOSSES and clueless co-workers? Swim on over to
Shark Bait and share your tales of woe: sharkbait.computerworld.com.

CHECK OUT Sharky’s blog, browse the Sharkives and sign up for Shark
Tank home delivery at computerworld.com/sharky.
■ FRANKLY SPEAKING


Fix  DNS  Now 

IF  YOU’RE  a  hard-core  IT  security  wonk,  you  already 
know  about  this.  If  not,  go  to  Doxpara.com  right  now 
and  click  on  the  button  that  says  “Check  my  DNS.”  That 
will  run  a  simple  test  to  tell  you  whether  your  name 
server  appears  to  be  vulnerable  to  DNS  cache  poisoning. 

No, really — right away. Doxpara.com. Go. Now. We’ll wait.


Did  the  test  say  that 
you’re  vulnerable?  Then 
you’ve  got  work  to  do. 

Did  it  say  that  you’re 
not?  You’ve  still  got  work 
to  do. 

Here’s why: Early this year, security researcher Dan Kaminsky
discovered a design flaw in the Internet’s Domain Name System, which
translates names like Computerworld.com into IP addresses such as
65.221.110.98.

Kaminsky didn’t find a bug in one DNS implementation. He found a
vulnerability that’s designed into every DNS server. That’s right —
they’re all broken. Microsoft’s version. And Cisco’s. And BIND, which
is widely used on Unix and Linux servers.

The design flaw allows an attacker to hijack domain names. Put simply,
a victim would never know where the Internet was taking him. E-mail
could be redirected. Web sites could be spoofed. Everything on the
Internet is at risk if an attacker takes over the DNS.

How do you fix a fundamental design flaw that affects the entire
Internet? Answer: You can’t. So you don’t. Instead, you find a way to
make the design flaw much, much harder to exploit.

Kaminsky  contacted 
Paul  Vixie,  who  has  been 
responsible  for  the  BIND 
DNS  server  since  1988. 
Vixie  called  together 
the  top  DNS  experts. 

In  March,  they  secretly 
started  work  on  the  job 
of  patching  every  major 
DNS  implementation.  Not 
with  a  fix  —  that  would  be 
impossible  —  but  with  a 
work-around. 

On July 8, they all rolled out their patches at the same time (see
story, page 12). Microsoft. Cisco. AT&T. Sun. Red Hat. The BIND guys.
Everybody.

This  is  not  “a  patch” 
to  fix  “a  bug.”  This  is  a 
wake-up  call  for  virtually 
the  whole  IT  industry. 

The  entire  Internet  needs 
fixing.  Yes,  right  now. 

And  that  includes  every 
corporate  network  and 
every  ISP. 

Here’s the good news: Because the flaw Kaminsky discovered is so baked
into DNS, because it literally can’t be fixed, the only good way to
block it is to make it really hard for attackers to do anything bad to
a DNS server. That’s what last week’s patches do.

As a result, those patches protect you not only from the design flaw
Kaminsky discovered, but also from lots of other bugs that have been
found over the years — and from bugs that haven’t yet been discovered.
It’s the biggest and most effective Internet security fix ever.


You want these patches on your DNS servers. You need them. If you’re a
CIO or an IT manager and you failed that test at Doxpara.com, you
should start asking your networking guys when you’ll no longer be
vulnerable.

If  you  didn’t  fail  the 
test,  don’t  get  cocky.  Sure, 
the  DNS  server  you’re 
using  is  good.  But  are  all 
of  your  network’s  DNS 
servers  safe?  What  about 
the  DNS  servers  of  ISPs 
that  your  users  connect  to 
when  they’re  on  the  road 
or  working  from  home? 
What  about  business 
partners  who  connect  to 
your  systems  across  the 
Internet?  They  all  need 
fixing. 

And it won’t all be as simple as testing and installing patches. Some
older DNS servers haven’t been patched. They’ll need upgrades. Yahoo,
for example, uses BIND Version 8. There’s no patch for that, so Yahoo
is upgrading its entire infrastructure.

See?  There’s  work  to  do. 
Get  to  it.  Now.  Don’t  wait 
for  the  bad  guys  to  figure 
out  how  to  exploit  this 
DNS  flaw. 

Because once they do, they won’t wait for you. ■

Frank Hayes is Computerworld’s senior news columnist. Contact him at
frank_hayes@computerworld.com.




